US6658569B1 - Secret key cryptographic process for protecting a computer system against attacks by physical analysis - Google Patents

Secret key cryptographic process for protecting a computer system against attacks by physical analysis Download PDF

Info

Publication number
US6658569B1
US6658569B1 US09/334,687 US33468799A US6658569B1 US 6658569 B1 US6658569 B1 US 6658569B1 US 33468799 A US33468799 A US 33468799A US 6658569 B1 US6658569 B1 US 6658569B1
Authority
US
United States
Prior art keywords
bits
partial
transformation
function
calculation process
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
US09/334,687
Other languages
English (en)
Inventor
Jacques Patarin
Louis Goubin
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CP8 Technologies SA
Original Assignee
Bull CP8 SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Bull CP8 SA filed Critical Bull CP8 SA
Assigned to BULL CP8 reassignment BULL CP8 ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: GOUBIN, LOUIS, PATARIN, JACQUES
Application granted granted Critical
Publication of US6658569B1 publication Critical patent/US6658569B1/en
Assigned to CP8 TECHNOLOGIES reassignment CP8 TECHNOLOGIES ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BULL CP8
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/723Modular exponentiation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219Countermeasures against side channel or fault attacks
    • G06F2207/7223Randomisation as countermeasure against side channel attacks
    • G06F2207/7233Masking, e.g. (A**e)+r mod n
    • G06F2207/7238Operand masking, i.e. message blinding, e.g. (A+r)**e mod n; k.(P+R)
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219Countermeasures against side channel or fault attacks
    • G06F2207/7266Hardware adaptation, e.g. dual rail logic; calculate add and double simultaneously
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry
    • H04L2209/127Trusted platform modules [TPM]
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • the present invention relates to a process for protecting a computer system implementing a cryptographic algorithm that uses a secret key. More precisely, the purpose of the process is to produce a version of the algorithm that is not vulnerable to a certain type of physical attack—known as Differential Power Analysis or High-Order Differential Power Analysis—aimed at obtaining information on the secret key through a study of the computer system's electric power consumption during the execution of the calculation.
  • Differential Power Analysis or High-Order Differential Power Analysis
  • the cryptographic algorithms considered herein use a secret key to calculate output information as a function of input information; this can involve an operation for encryption, decryption, signature, signature verification, authentication or non-repudiation. They are constructed in such a way that in practice, an attacker who knows the inputs and the outputs cannot deduce any information on the secret key itself.
  • DPA Differential Power Analysis
  • the DES algorithm is executed in 16 steps known as rounds (see FIG. 1 a ).
  • a transformation F into 32 bits is performed.
  • This transformation F uses eight nonlinear transformations of 6 bits to four bits, each of which is coded into a table called an S box (see FIG. 1 b , in which the S boxes are marked S 1 , S 2 , . . . , S 8 .
  • a DPA attack on the DES can be implemented in the following way:
  • 1st step Power consumption measurements are made on the first round, for 1,000 DES calculations. The input values of these 1,000 calculations are marked E[1], . . . , E[1,000]. The corresponding 1,000 power consumption curves measured during these calculations are marked C[1], . . . , C[1,000]. The average curve CM of the 1,000 consumption curves is also calculated.
  • Steps 2 and 3 are repeated with a target bit b output from the second S box, then from the third S box, and so on, through the eighth S box.
  • 48 bits of the secret key are eventually obtained.
  • HO-DPA High-Order Differential Power Analysis
  • the object of the process that is the subject of the present invention is to eliminate the risks of DPA or HO-DPA attacks on computer systems using secret or private key cryptography.
  • another subject of the present invention is a modification of the cryptographic calculation process implemented by protected computer systems using cryptography such that the above-mentioned fundamental hypothesis is no longer verified, in other words, no intermediate variable is dependent on the power consumption of an easily accessible subsystem of the private or secret key, attacks of the DPA or HO-DPA type thus being rendered inoperative.
  • the process for protecting a computer system implementing a standard cryptographic calculation process that uses a secret key is remarkable in that the cryptographic calculation process is separated into several distinct calculation parts, executed in parallel and producing partial intermediate results distinct from those of the standard cryptographic calculation, and in that the final value obtained by the standard calculation without a separation is reconstructed from the distinct partial intermediate results.
  • the term standard cryptographic calculation process is intended to mean any sequential or successive calculation process that makes it possible to obtain encrypted values, decrypted values, and signature, signature verification, authentication, and non-repudiation values.
  • a process of this type makes it possible to prevent DPA or HO-DPA type attacks against embedded systems equipped with cryptographic calculation functions, such as smart cards dedicated to credit card, ATM card, access control card or similar functions.
  • FIG. 2 represents a general flow chart illustrating the process that is the subject of the invention
  • FIG. 3 a represents an example illustrating a non-limiting mode of implementation of the process that is the subject of the present invention
  • FIG. 3 b represents an example illustrating a flow chart of a particular implementation of the process that is the subject of the invention, applied to a nonlinear transformation used in a standard cryptographic calculation process such as the DES;
  • FIG. 3 c represents a variant of the implementation of the process that is the subject of the invention as illustrated in FIG. 2;
  • FIG. 3 d represents an example illustrating a flow chart of another particular implementation of the process that is the subject of the invention, based on a secret bijective transformation applied to a nonlinear transformation used in a standard cryptographic calculation process such as the DES;
  • FIG. 3 e represents an example illustrating a flow chart of another particular implementation of the process that is the subject of the invention, based on polynomial functions, applied to a nonlinear transformation used in a standard cryptographic calculation process such as the DES.
  • the process that is the subject of the present invention consists, for a standard cryptographic process that uses a secret or private key Ks, of modifying the cryptographic calculation process so that the above-mentioned fundamental hypothesis is no longer verified, and there is no longer any intermediate variable calculated, according to the process that is the subject of the present invention, that is dependent on the knowledge of an easily accessible subsystem of the secret key.
  • a) the standard cryptographic calculation process is separated into several distinct calculation process parts PPC 1 through PPC k executed in parallel, then b) the final value v corresponding to that obtained by the standard cryptographic calculation process without a separation is reconstructed from the distinct partial intermediate results v 1 through v k obtained by implementing the above-mentioned distinct calculation process parts PPC 1 through PPC k .
  • i be a subscript, in the broadest sense, between 1 and k.
  • a “translation” of the algorithm is then performed by replacing each intermediate variable v that is dependent on input (or output) data, with the k variables v 1 , v 2 , . . . , v k .
  • the following additional condition is imposed on the function f:
  • the function f is such that the transformations to be performed on v 1 , v 2 , . . . , or v k during the calculation instead of the usual transformations performed on v can be executed without having to recalculate v.
  • a first example relative to the protection of the DES is described in connection with FIG. 3 a.
  • the first two categories correspond to linear transformations on the bits of the variable v.
  • Condition No. 2 is also very easy to satisfy: one need only replace the calculation of v ⁇ c with v 1 ⁇ c or v 2 ⁇ c, which fulfills Condition No. 2.
  • A designates a secret, random transformation of 12 bits to 4 bits.
  • the first (new) S box corresponds to the table of the transformation (v 1 , v 2 ) ⁇ A(v 1 , v 2 ) which associates (v 1 , v 2 ) with A(v 1 , v 2 )
  • the second (new) S box corresponds to the table of the transformation (v 1 , v 2 ) ⁇ S(v 1 ⁇ v 2 ) ⁇ A(v 1 , v 2 ) which associates (v 1 , v 2 ) with S(v 1 ⁇ v 2 ) ⁇ A(v 1 , v 2 ).
  • the presence of the random function A makes it possible to guarantee Condition No. 1.
  • the utilization of tables makes it possible to avoid having to calculate v 1 ⁇ v 2 and thus makes it possible to satisfy Condition No. 2.
  • the transformation or conversion tables can be stored in a ROM of the smart card when the computer system is constituted by a smart card.
  • the separation as represented in FIG. 3 b , can be into k parts.
  • each nonlinear transformation applied to an intermediate variable playing the role of an input variable E of the standard cryptographic calculation process without a separation is replaced by a partial nonlinear transformation of km bits to kn bits applied to all of the partial intermediate variables v 1 through v k .
  • this partial nonlinear transformation is described and implemented by k partial conversion tables in which the n output bits v′ 1 or v′ 2 , . . . , or v′ k of the transformation are read at an address that is a function of the km input bits.
  • v 0 ⁇ ( v 1 ⁇ v 2 )
  • is a secret, bijective function of 6 bits to 6 bits, and where A designates a secret, random transformation of 6 bits to 4 bits.
  • the first (new) S box corresponds to the table of the transformation v 0 ⁇ A(v 0 ) which associates v 0 with A(v 0 ) and the second (new) S box corresponds to the table of the transformation v 0 ⁇ S( ⁇ ⁇ 1 (v 0 )) ⁇ A(v 0 ) which associates v 0 with S( ⁇ ⁇ 1 (v 0 )) ⁇ A(v 0 ).
  • f(v′ 1 , v′ 2 ) v′.
  • the presence of the random function A makes it possible to guarantee Condition No. 1.
  • FIG. 3 d represents a corresponding calculation step of the nonlinear transformation type used within the framework of a standard cryptographic calculation process such as the DES, as modified in accordance with the process that is the subject of the invention, according to Variant No. 2.
  • each nonlinear transformation applied to an intermediate variable playing the role of an input variable E of the standard calculation process is replaced by a partial nonlinear transformation of km bits to kn bits applied to all of the partial intermediate variables v 1 through v k .
  • This partial nonlinear transformation is described and implemented by k conversion tables, each of the inputs of the conversion tables receiving a value obtained by applying a secret bijective function ⁇ j to the function f(v 1 , . . . , v k ) of the partial intermediate variables according to the relation ⁇ j ⁇ f(v 1 , . . . , v k ) with j ⁇ [1, k].
  • the above-mentioned application ⁇ j ⁇ f(v 1 , . . . , v k ) is performed by direct evaluation of a resulting value, which, applied to the input of the corresponding conversion table 1 through k, makes it possible to read n output bits of the transformation v′ 1 or v′ 2 or . . . v′ k at an address that is a function of these m input bits.
  • the bijective functions ⁇ 1 and ⁇ k are identical.
  • a secret, bijective linear function of 6 bits to 6 bits is chosen for ⁇ .
  • all of the 6-bit values are considered as a vectorial space with a dimension of 6 in the finite field F 2 with two elements.
  • choosing ⁇ amounts to choosing a random invertible six-by-six matrix whose coefficients equal 0 or 1. With this choice of ⁇ , it is easy to see that Condition No. 2 is satisfied. In effect—in order to calculate ⁇ (v 1 ⁇ v 2 )—one need only calculate ⁇ (v 1 ), then ⁇ (v 2 ), and finally, calculate the “exclusive-OR” of the two results obtained.
  • ⁇ ( u 1 , u 2 , u 3 , u 4 , u 5 , u 6 ) u 1 ⁇ u 2 ⁇ u 4 , u 1 ⁇ u 2 ⁇ u 4 ⁇ u 6 , u 2 ⁇ u 3 ⁇ u 5 , u 1 ⁇ u 2 ⁇ u 3 ⁇ u 5 , u 2 ⁇ u 3 ⁇ u 4 ⁇ u 5 , ⁇ u 3 ⁇ u 4 ⁇ u 6 )
  • v 1 (v 1.1 , v 1.2 , v 1.3 , v 1.4 , v 1.5 , v 1.6
  • v 2 (v 2.1 , v 2.2 , v 2.3 , v 2.3 , v 2.5 , v 2.6 )
  • ⁇ ( v 1 ) ( v 1.1 ⁇ v 1.2 ⁇ v 1.4 , v 1.1 ⁇ v 1.2 ⁇ v 1.4 ⁇ v 1.6 , v 1.2 ⁇ v 1.3 ⁇ v 1.5 , v 1.1 ⁇ v 1.2 ⁇ v 1.3 ⁇ v 1.5 , v 1.2 ⁇ v 1.3 ⁇ v 1.4 ⁇ v 1.5 , v 1.3 ⁇ v 1.4 ⁇ v 1.6 );
  • ⁇ ( v 2 ) v 2.1 ⁇ v 2.2 ⁇ v 2.4 , v 2.1 ⁇ v 2.2 ⁇ v 2.4 ⁇ v 2.6 , v 2.2 ⁇ v 2.3 ⁇ v 2.5 ⁇ , v 2.1 ⁇ v 2.2 ⁇ v 2.3 ⁇ v 2.5 , v 2.2 ⁇ v 2.3 ⁇ v 2.4 ⁇ v 2.5 , v 2.3 ⁇ v 2.4 ⁇ v 2.6 ).
  • a secret, bijective quadratic function of 6 bits to 6 bits is chosen for ⁇ .
  • the term “quadratic” in this case indicates that each value bit output from the function ⁇ is expressed by a polynomial function with a degree of two of the 6 input bits, which are identified with 6 elements of the finite field F 3 .
  • ⁇ ( v 1 ⁇ v 2 ) ⁇ ( v 1 , v 1 ) ⁇ ( v 1 , v 2 ) ⁇ ( v 2 , v 1 ) ⁇ ( v 2 , v 2 )
  • Variant No. 2 is used with the same secret bijection ⁇ (of six bits to 6 bits) and the same secret random function A (of six bits to 6 bits) in the new implementation of each nonlinear transformation presented in the form of an S box.
  • 3 b and 3 d consist of a nonlinear transformation of m bits to n bits, described by conversion tables in which the n output bits of the transformation are read at an address that is a function of the m input bits; according to the process that is the subject of the invention, each nonlinear transformation applied to an intermediate variable of the standard cryptographic calculation process without a separation is replaced by a partial nonlinear transformation of km bits to kn bits applied to all of the partial intermediate variables v 1 through v k .
  • (k ⁇ 1)n output bits of this transformation are calculated as a polynomial function of the km input bits of the variables v 1 , v 2 , . . . , v k in accordance with the relations:
  • n remaining bits v′ k of the output variable are then obtained, for example, by reading a nonlinear conversion table in which these n bits are read at an address that is a function of the km input bits.
  • the Triple DES consists of sequentially performing encryption/decryption operations using secret keys.
  • the principle consists of using the DES algorithm three times in a row to encrypt a message, beginning by performing a DES operation in the encryption mode with key No. 1, then a DES operation in the decryption mode with key No. 2, and lastly, another DES operation in the encryption mode with key No. 1.
  • the DPA type attack is possible in the same way as for the DES: based on the power consumption measurements performed on the first round of the first DES operation, 48 bits of key No. 1 are found, then by analyzing the second round, the 8 remaining bits of key No. 1 are found. Knowing key No. 1, one therefore knows the inputs of the second DES operation, and can apply the same attack to find key No. 2.
  • the protection of the algorithm can work exactly as in the case of the simple DES described in the first example above: the same function f is used to perform the “separation” of the intermediate variables, and the same transformations of the algorithm.
  • RSA is the most famous of the asymmetric cryptographic algorithms. It was developed by Rivest, Shamir and Adleman in 1978. For a more detailed description of this algorithm, it would be useful to refer to the documents below:
  • PKCS #1 RSA Encryption Standard , Version 2, 1998, available at the following address: http://ftp.rsa.com/pub/pkcs/doc/pkcs-1v2.doc,
  • the RSA algorithm uses a whole number n that is the product of two large prime numbers p and q, and a whole number e, prime with ppcm(p ⁇ 1, q ⁇ 1), and such that e ⁇ 1 mod ppcm(p ⁇ 1, q ⁇ 1).
  • the integers n and e constitute the public key.
  • the process that is the subject of the present invention also applies to the protection of the RSA algorithm. It uses a separation of each intermediate variable v with values in the multiplicative group of Z/nZ, i.e., all of the modulo n integers that have an inverse that is also modulo n, that occur during the calculation and are dependent on input or output data, into two variables v 1 and v 2 .
  • this function f makes it possible to satisfy Condition No. 1.
  • ⁇ z ⁇ 1>> is replaced by ⁇ z 1 ⁇ 1 and z 2 ⁇ 1>>;
  • ⁇ z ⁇ z 2 mod n is replaced by ⁇ z 1 ⁇ z 1 2 mod n and z 2 ⁇ z 2 2 mod n >>;
  • ⁇ z ⁇ z ⁇ x mod n>> is replaced by ⁇ z 1 ⁇ z 1 ⁇ x 1 mod n and z 2 ⁇ z 2 ⁇ x 2 mod n>>.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • Computational Mathematics (AREA)
  • Signal Processing (AREA)
  • Mathematical Analysis (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Pure & Applied Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)
US09/334,687 1999-02-04 1999-06-17 Secret key cryptographic process for protecting a computer system against attacks by physical analysis Expired - Lifetime US6658569B1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
FR9901289A FR2789535B1 (fr) 1999-02-04 1999-02-04 Procede de securisation d'un ensemble electronique de cryptographie a cle secrete contre les attaques par analyse physique

Publications (1)

Publication Number Publication Date
US6658569B1 true US6658569B1 (en) 2003-12-02

Family

ID=35004509

Family Applications (1)

Application Number Title Priority Date Filing Date
US09/334,687 Expired - Lifetime US6658569B1 (en) 1999-02-04 1999-06-17 Secret key cryptographic process for protecting a computer system against attacks by physical analysis

Country Status (9)

Country Link
US (1) US6658569B1 (https=)
EP (1) EP1068695B1 (https=)
JP (2) JP2002536911A (https=)
AT (1) ATE464714T1 (https=)
DE (1) DE60044168D1 (https=)
ES (1) ES2344399T3 (https=)
FR (1) FR2789535B1 (https=)
PT (1) PT1068695E (https=)
WO (1) WO2000046953A1 (https=)

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010012360A1 (en) * 2000-01-31 2001-08-09 Mehdi-Laurent Akkar Method of executing a cryptographic protocol between two electronic entities
US20030005206A1 (en) * 2000-01-19 2003-01-02 Oliver Kniffler Method for operating a microprocessor configuration and microprocessor configuration
US20030044003A1 (en) * 2001-08-14 2003-03-06 International Business Machines Corporation Space-efficient, side-channel attack resistant table lookups
US20040028234A1 (en) * 2000-12-26 2004-02-12 Stmicroelectronics Sa Logic circuit with variable internal polarities
US20040193898A1 (en) * 2003-01-08 2004-09-30 Sony Corporation Encryption processing apparatus, encryption processing method, and computer program
US20040220984A1 (en) * 2002-11-04 2004-11-04 Dudfield Anne Elizabeth Connection based denial of service detection
US20050027998A1 (en) * 2003-08-01 2005-02-03 Yannick Teglia Protection of several identical calculations
US20050114658A1 (en) * 2003-11-20 2005-05-26 Dye Matthew J. Remote web site security system
US20050232430A1 (en) * 2004-04-16 2005-10-20 Gebotys Catherine H Security countermeasures for power analysis attacks
US20050259814A1 (en) * 2004-05-24 2005-11-24 Gebotys Catherine H Table masking for resistance to power analysis attacks
US20050271211A1 (en) * 2004-05-18 2005-12-08 Itaru Takemura Key management system and playback apparatus
WO2006046187A1 (en) * 2004-10-28 2006-05-04 Koninklijke Philips Electronics N.V. Method and system for obfuscating a cryptographic function
US7050581B1 (en) * 1999-04-09 2006-05-23 Cp8 Technologies Method for making secure one or several computer installations using a common secret key algorithm, use of the method and a computer system utilizing the method
US7123717B1 (en) * 1999-10-14 2006-10-17 Gemplus Countermeasure method in an electronic component which uses an RSA-type public key cryptographic algorithm
EP1722502A1 (en) * 2005-05-10 2006-11-15 Research In Motion Limited Key masking for cryptographic processes
GB2428358A (en) * 2005-07-12 2007-01-24 Samsung Electronics Co Ltd Cryptographic system using split key to resist Differential Power Analysis (DPA) attacks
US20070211890A1 (en) * 2006-03-07 2007-09-13 Research In Motion Limited Table splitting for cryptographic processes
US20080130869A1 (en) * 2002-07-09 2008-06-05 Mehdi-Laurent Akkar Method to Secure an Electronic Assembly Against Attacks by Error Introduction
US20090055657A1 (en) * 2005-03-25 2009-02-26 Rieko Asai Program Converting Device, Secure Processing Device, Computer Program, and Recording Medium
US7500112B1 (en) * 2000-01-08 2009-03-03 Nxp B.V. Cryptographic device and methods for defeating physical analysis
US20090060176A1 (en) * 2005-04-28 2009-03-05 Kaoru Yokota Program converter, encrypting device, and encrypting method
US20090132830A1 (en) * 2005-10-31 2009-05-21 Tomoyuki Haga Secure processing device, secure processing method, encrypted confidential information embedding method, program, storage medium, and integrated circuit
CN101848081A (zh) * 2010-06-11 2010-09-29 中国科学院软件研究所 一种s盒构造方法及s盒
US20110044450A1 (en) * 2009-08-21 2011-02-24 Electronics And Telecommunications Research Institute Method and apparatus for processing f-function in seed encryption system
US8538017B2 (en) 2010-09-17 2013-09-17 Kabushiki Kaisha Toshiba Encryption device
US20130332744A1 (en) * 2012-06-08 2013-12-12 Advanced Micro Devices, Inc. Method and system for accelerating cryptographic processing
US8619985B2 (en) 2010-04-27 2013-12-31 Research In Motion Limited Table splitting for cryptographic processes
US10892891B2 (en) * 2019-03-13 2021-01-12 Digital 14 Llc System, method, and computer program product for zero round trip secure communications based on two noisy secrets
US10951415B2 (en) * 2019-03-13 2021-03-16 Digital 14 Llc System, method, and computer program product for implementing zero round trip secure communications based on noisy secrets with a polynomial secret sharing scheme

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3926532B2 (ja) * 2000-03-16 2007-06-06 株式会社日立製作所 情報処理装置、情報処理方法、及びカード部材
JP4640663B2 (ja) * 2000-06-30 2011-03-02 ネッツエスアイ東洋株式会社 秘密情報生成装置及び方法
DE10061997A1 (de) * 2000-12-13 2002-07-18 Infineon Technologies Ag Kryptographieprozessor
JP4596686B2 (ja) 2001-06-13 2010-12-08 富士通株式会社 Dpaに対して安全な暗号化
AU2003207931A1 (en) * 2002-03-07 2003-09-16 Axalto Sa Method for making safe an electronic cryptography assembly with a secret key
JP2007189659A (ja) * 2005-12-15 2007-07-26 Toshiba Corp 暗号化装置、暗号化方法及び暗号化プログラム
FR2941342B1 (fr) * 2009-01-20 2011-05-20 Groupe Des Ecoles De Telecommunications Get Ecole Nat Superieure Des Telecommunications Enst Circuit de cryptographie protege contre les attaques en observation, notamment d'ordre eleve.
JP6365076B2 (ja) * 2014-07-31 2018-08-01 大日本印刷株式会社 データ変換装置
JP6617375B2 (ja) * 2018-05-28 2019-12-11 大日本印刷株式会社 データ変換装置
FR3110311B1 (fr) 2020-05-14 2022-07-01 Zama cryptographiques d’évaluation de fonctions à valeurs réelles sur des données chiffrées
FR3134909B1 (fr) 2022-04-25 2024-06-21 Commissariat Energie Atomique Protection contre les attaques par canal auxiliaire a l’aide d’un masquage carre

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4993068A (en) * 1989-11-27 1991-02-12 Motorola, Inc. Unforgeable personal identification system
US5588059A (en) * 1995-03-02 1996-12-24 Motorola, Inc. Computer system and method for secure remote communication sessions
WO1998052319A1 (en) 1997-05-12 1998-11-19 Yeda Research And Development Co. Ltd. Improved method and apparatus for protecting public key schemes from timing and fault attacks
US5850443A (en) * 1996-08-15 1998-12-15 Entrust Technologies, Ltd. Key management system for mixed-trust environments

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH02259689A (ja) * 1989-03-30 1990-10-22 Matsushita Electric Ind Co Ltd データ転置装置
JPH0651698A (ja) * 1992-06-03 1994-02-25 Nippon Telegr & Teleph Corp <Ntt> データ攪拌装置およびデータ攪拌方法
EP0839418B1 (en) * 1996-05-20 2003-05-02 Koninklijke Philips Electronics N.V. Cryptographic method and apparatus for non-linearly merging a data block and a key
JPH10153955A (ja) * 1996-11-25 1998-06-09 Nippon Signal Co Ltd:The 暗号装置
JP3035889B2 (ja) * 1997-04-23 2000-04-24 松下電器産業株式会社 暗号化処理装置、及び、復号化処理装置
JP3782210B2 (ja) * 1997-06-30 2006-06-07 日本電信電話株式会社 暗号装置
JP3017725B2 (ja) * 1998-01-27 2000-03-13 日本電信電話株式会社 データ変換装置

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4993068A (en) * 1989-11-27 1991-02-12 Motorola, Inc. Unforgeable personal identification system
US5588059A (en) * 1995-03-02 1996-12-24 Motorola, Inc. Computer system and method for secure remote communication sessions
US5850443A (en) * 1996-08-15 1998-12-15 Entrust Technologies, Ltd. Key management system for mixed-trust environments
WO1998052319A1 (en) 1997-05-12 1998-11-19 Yeda Research And Development Co. Ltd. Improved method and apparatus for protecting public key schemes from timing and fault attacks

Cited By (63)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7050581B1 (en) * 1999-04-09 2006-05-23 Cp8 Technologies Method for making secure one or several computer installations using a common secret key algorithm, use of the method and a computer system utilizing the method
US7123717B1 (en) * 1999-10-14 2006-10-17 Gemplus Countermeasure method in an electronic component which uses an RSA-type public key cryptographic algorithm
US7500112B1 (en) * 2000-01-08 2009-03-03 Nxp B.V. Cryptographic device and methods for defeating physical analysis
US7020730B2 (en) * 2000-01-19 2006-03-28 Infineon Technologies Ag Method for operating a microprocessor configuration and microprocessor configuration
US20030005206A1 (en) * 2000-01-19 2003-01-02 Oliver Kniffler Method for operating a microprocessor configuration and microprocessor configuration
US8612761B2 (en) * 2000-01-31 2013-12-17 Oberthur Card Systems Sa Method of executing a cryptographic protocol between two electronic entities
US20010012360A1 (en) * 2000-01-31 2001-08-09 Mehdi-Laurent Akkar Method of executing a cryptographic protocol between two electronic entities
US20040028234A1 (en) * 2000-12-26 2004-02-12 Stmicroelectronics Sa Logic circuit with variable internal polarities
US7290151B2 (en) * 2000-12-26 2007-10-30 Stmicroelectronics Sa Logic circuit with variable internal polarities
US20030044003A1 (en) * 2001-08-14 2003-03-06 International Business Machines Corporation Space-efficient, side-channel attack resistant table lookups
US7142670B2 (en) * 2001-08-14 2006-11-28 International Business Machines Corporation Space-efficient, side-channel attack resistant table lookups
US7826610B2 (en) * 2002-07-09 2010-11-02 Gemalto Sa Method to secure an electronic assembly against attacks by error introduction
US20080130869A1 (en) * 2002-07-09 2008-06-05 Mehdi-Laurent Akkar Method to Secure an Electronic Assembly Against Attacks by Error Introduction
US20040220984A1 (en) * 2002-11-04 2004-11-04 Dudfield Anne Elizabeth Connection based denial of service detection
US8191136B2 (en) * 2002-11-04 2012-05-29 Riverbed Technology, Inc. Connection based denial of service detection
US7984305B2 (en) * 2003-01-08 2011-07-19 Sony Corporation Encryption processing apparatus and encryption processing method for setting a mixed encryption processing sequence
US20040193898A1 (en) * 2003-01-08 2004-09-30 Sony Corporation Encryption processing apparatus, encryption processing method, and computer program
US7885408B2 (en) * 2003-08-01 2011-02-08 Stmicroelectronics S.A. Protection of several identical calculations
US20050027998A1 (en) * 2003-08-01 2005-02-03 Yannick Teglia Protection of several identical calculations
US20050114658A1 (en) * 2003-11-20 2005-05-26 Dye Matthew J. Remote web site security system
US7899190B2 (en) 2004-04-16 2011-03-01 Research In Motion Limited Security countermeasures for power analysis attacks
US20050232430A1 (en) * 2004-04-16 2005-10-20 Gebotys Catherine H Security countermeasures for power analysis attacks
US8638944B2 (en) 2004-04-16 2014-01-28 Blackberry Limited Security countermeasures for power analysis attacks
US8325928B2 (en) 2004-04-16 2012-12-04 Research In Motion Limited Security countermeasure for power analysis attacks
US20050271211A1 (en) * 2004-05-18 2005-12-08 Itaru Takemura Key management system and playback apparatus
US7848514B2 (en) 2004-05-24 2010-12-07 Research In Motion Limited Table masking for resistance to power analysis attacks
US8184806B2 (en) 2004-05-24 2012-05-22 Research In Motion Limited Table masking for resistance to power analysis attacks
US20110033043A1 (en) * 2004-05-24 2011-02-10 Catherine Helen Gebotys Table masking for resistance to power analysis attacks
US20050259814A1 (en) * 2004-05-24 2005-11-24 Gebotys Catherine H Table masking for resistance to power analysis attacks
KR101226167B1 (ko) 2004-10-28 2013-01-24 이르데토 코포레이트 비.브이. 암호 함수 모호화 방법 및 시스템
CN101048969B (zh) * 2004-10-28 2012-04-04 耶德托公司 用于扰乱密码函数的方法和系统
WO2006046187A1 (en) * 2004-10-28 2006-05-04 Koninklijke Philips Electronics N.V. Method and system for obfuscating a cryptographic function
US7881466B2 (en) 2004-10-28 2011-02-01 Irdeto B.V. Method and system for obfuscating a cryptographic function
US20090122978A1 (en) * 2004-10-28 2009-05-14 Koninklijke Philips Electronics, N.V. Method and system for obfuscating a cryptographic function
US8090956B2 (en) 2005-03-25 2012-01-03 Panasonic Corporation Program converting device, secure processing device, computer program, and recording medium
US20090055657A1 (en) * 2005-03-25 2009-02-26 Rieko Asai Program Converting Device, Secure Processing Device, Computer Program, and Recording Medium
US7724897B2 (en) 2005-04-28 2010-05-25 Panasonic Corporation Program converter, encrypting device, and encrypting method
US20100195822A1 (en) * 2005-04-28 2010-08-05 Kaoru Yokota Program converter, encrypting device, and encrypting method
US8184805B2 (en) 2005-04-28 2012-05-22 Panasonic Corporation Program converter, encrypting device, and encrypting method
US20090060176A1 (en) * 2005-04-28 2009-03-05 Kaoru Yokota Program converter, encrypting device, and encrypting method
EP1722502A1 (en) * 2005-05-10 2006-11-15 Research In Motion Limited Key masking for cryptographic processes
EP1724961A1 (en) * 2005-05-10 2006-11-22 Research In Motion Limited Key Masking for Cryptographic Processes using Combination Random Mask Values
US20060256963A1 (en) * 2005-05-10 2006-11-16 Research In Motion Limited Key masking for cryptographic processes
US7778419B2 (en) 2005-05-10 2010-08-17 Research In Motion Limited Key masking for cryptographic processes
GB2428358B (en) * 2005-07-12 2008-04-16 Samsung Electronics Co Ltd Crytographic system and method for encrypting input data
US20080044010A1 (en) * 2005-07-12 2008-02-21 Ihor Vasyltasov Cryptographic system and method for encrypting input data
GB2428358A (en) * 2005-07-12 2007-01-24 Samsung Electronics Co Ltd Cryptographic system using split key to resist Differential Power Analysis (DPA) attacks
US8656175B2 (en) * 2005-10-31 2014-02-18 Panasonic Corporation Secure processing device, secure processing method, encrypted confidential information embedding method, program, storage medium, and integrated circuit
CN101300775B (zh) * 2005-10-31 2012-12-19 松下电器产业株式会社 安全处理装置、安全处理方法、加密信息嵌入方法、程序、存储介质和集成电路
US20090132830A1 (en) * 2005-10-31 2009-05-21 Tomoyuki Haga Secure processing device, secure processing method, encrypted confidential information embedding method, program, storage medium, and integrated circuit
US7720225B2 (en) 2006-03-07 2010-05-18 Research In Motion Limited Table splitting for cryptographic processes
US20070211890A1 (en) * 2006-03-07 2007-09-13 Research In Motion Limited Table splitting for cryptographic processes
US8615078B2 (en) * 2009-08-21 2013-12-24 Electronics And Telecommunications Research Institute Method and apparatus for processing F-function in seed encryption system
US20110044450A1 (en) * 2009-08-21 2011-02-24 Electronics And Telecommunications Research Institute Method and apparatus for processing f-function in seed encryption system
US8619985B2 (en) 2010-04-27 2013-12-31 Research In Motion Limited Table splitting for cryptographic processes
CN101848081A (zh) * 2010-06-11 2010-09-29 中国科学院软件研究所 一种s盒构造方法及s盒
US8538017B2 (en) 2010-09-17 2013-09-17 Kabushiki Kaisha Toshiba Encryption device
US20130332744A1 (en) * 2012-06-08 2013-12-12 Advanced Micro Devices, Inc. Method and system for accelerating cryptographic processing
US9342712B2 (en) * 2012-06-08 2016-05-17 Advanced Micro Devices, Inc. Method and system for accelerating cryptographic processing
US10892891B2 (en) * 2019-03-13 2021-01-12 Digital 14 Llc System, method, and computer program product for zero round trip secure communications based on two noisy secrets
US10951415B2 (en) * 2019-03-13 2021-03-16 Digital 14 Llc System, method, and computer program product for implementing zero round trip secure communications based on noisy secrets with a polynomial secret sharing scheme
US20210167967A1 (en) * 2019-03-13 2021-06-03 Digital 14 Llc System, method, and computer program product for implementing zero round trip secure communications based on noisy secrets with a polynomial secret sharing scheme
US11563584B2 (en) * 2019-03-13 2023-01-24 Digital 14 Llc System, method, and computer program product for implementing zero round trip secure communications based on noisy secrets with a polynomial secret sharing scheme

Also Published As

Publication number Publication date
FR2789535B1 (fr) 2001-09-28
FR2789535A1 (fr) 2000-08-11
WO2000046953A1 (fr) 2000-08-10
ATE464714T1 (de) 2010-04-15
DE60044168D1 (de) 2010-05-27
EP1068695A1 (fr) 2001-01-17
JP2002536911A (ja) 2002-10-29
JP2010072664A (ja) 2010-04-02
ES2344399T3 (es) 2010-08-26
EP1068695B1 (fr) 2010-04-14
PT1068695E (pt) 2010-07-13

Similar Documents

Publication Publication Date Title
US6658569B1 (en) Secret key cryptographic process for protecting a computer system against attacks by physical analysis
Park et al. Side-channel attacks on post-quantum signature schemes based on multivariate quadratic equations:-rainbow and uov
Carlet et al. Higher-order masking schemes for s-boxes
Trichina et al. Simplified adaptive multiplicative masking for AES
Kundu et al. Higher-order masked saber
US8595513B2 (en) Method and system for protecting a cryptography device
US8971526B2 (en) Method of counter-measuring against side-channel attacks
US8345863B2 (en) Method of countering side-channel attacks on elliptic curve cryptosystem
JP2008252299A (ja) 暗号処理システム及び暗号処理方法
KR20020025630A (ko) 비밀 정보의 처리 장치, 프로그램 또는 시스템
Coron et al. High order masking of look-up tables with common shares
KR20080113277A (ko) 프로그램 난독화시스템, 프로그램 난독화장치 및 프로그램 난독화방법
JP4977300B2 (ja) 暗号法及び装置
Kebache et al. Reducing the Encrypted Data Size: Healthcare with IoT-Cloud Computing Applications.
KR100834096B1 (ko) 고차 전력분석공격에 대응하는 블록 암호 알고리즘aria의 암호화 방법
KR100737667B1 (ko) 암호 체계의 개인 키 저장 및 복원 방법과 장치
EP3188401B1 (en) Method and system for protecting a cryptographic operation
EP4000217B1 (en) Cryptographic pseudonym mapping method, computer system, computer program and computer-readable medium
US7123717B1 (en) Countermeasure method in an electronic component which uses an RSA-type public key cryptographic algorithm
Anandakumar Image cryptography using RSA algorithm in network security
US7050581B1 (en) Method for making secure one or several computer installations using a common secret key algorithm, use of the method and a computer system utilizing the method
Benhamouda et al. Easing Coppersmith methods using analytic combinatorics: Applications to public-key cryptography with weak pseudorandomness
US7496758B2 (en) Method and apparatus for protecting an exponentiation calculation by means of the chinese remainder theorem (CRT)
US7747012B2 (en) Process of security of an electronic unit with cryptoprocessor
KR100772550B1 (ko) 전력분석공격에 안전한 메시지 블라인딩 방법

Legal Events

Date Code Title Description
AS Assignment

Owner name: BULL CP8, FRANCE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:PATARIN, JACQUES;GOUBIN, LOUIS;REEL/FRAME:010230/0362

Effective date: 19990308

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: CP8 TECHNOLOGIES, FRANCE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:BULL CP8;REEL/FRAME:014981/0001

Effective date: 20001230

CC Certificate of correction
FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FPAY Fee payment

Year of fee payment: 4

FPAY Fee payment

Year of fee payment: 8

FPAY Fee payment

Year of fee payment: 12